From c54ec0ba0c9f8ed178ecaac57d6303896343d9da Mon Sep 17 00:00:00 2001 From: Admin MPCZ Date: Tue, 28 Apr 2026 00:26:29 +0200 Subject: [PATCH] fix(qualys/agents): test connectivite DIRECT vers qagpublic.qg1.apps.qualys.eu (pod EU1 SANEF) - pas de proxy car agent sort en direct --- app/services/realtime_audit_service.py | 71 +++++++++----------------- 1 file changed, 24 insertions(+), 47 deletions(-) diff --git a/app/services/realtime_audit_service.py b/app/services/realtime_audit_service.py index 9cc813a..b2dadc8 100644 --- a/app/services/realtime_audit_service.py +++ b/app/services/realtime_audit_service.py 
@@ -618,27 +618,20 @@ QUALYS_AGENT_CMDS = { "grep -iE 'http_proxy|https_proxy' /etc/environment 2>/dev/null || echo '(aucune)'" ), "qualys_connectivity": ( - # Proxy SANEF: FQDN puis fallback IP si DNS interne KO - "PROXY=http://proxy.sanef.fr:8080; " - "if ! getent hosts proxy.sanef.fr >/dev/null 2>&1; then " - " PROXY=http://10.40.10.225:8080; " - " echo '(DNS proxy.sanef.fr KO -> fallback IP 10.40.10.225)'; " - "fi; " - "echo \"Proxy utilise: $PROXY\"; echo; " - "for url in https://qualysagent.qualys.eu https://qualysguard.qualys.eu; do " - " echo \"=== $url (via proxy) ===\"; " - " if command -v curl >/dev/null 2>&1; then " - " curl --connect-timeout 5 -sS -x \"$PROXY\" -o /dev/null -w 'HTTP %{http_code} | %{time_total}s\\n' \"$url\" 2>&1 || echo 'ECHEC via proxy (proxy down ? auth requise ? URL bloquee ?)'; " - " elif command -v wget >/dev/null 2>&1; then " - " https_proxy=$PROXY wget --timeout=5 --tries=1 --spider \"$url\" 2>&1 | grep -E 'response|connecting|failed' | head -3; " - " else " - " echo '(ni curl ni wget disponibles)'; " - " fi; " - "done; " - "echo; echo '=== Test direct sans proxy (info diagnostic) ==='; " + # L'agent Qualys SANEF sort en DIRECT (pas via proxy). 
Endpoint reel: qagpublic.qg1.apps.qualys.eu (pod EU1) + "echo '=== DNS resolution qagpublic.qg1.apps.qualys.eu ==='; " + "(getent hosts qagpublic.qg1.apps.qualys.eu 2>/dev/null || nslookup qagpublic.qg1.apps.qualys.eu 2>/dev/null | tail -3) || echo 'DNS KO'; " + "echo; echo '=== TCP/443 direct vers qagpublic.qg1.apps.qualys.eu (endpoint reel agent) ==='; " "if command -v curl >/dev/null 2>&1; then " - " curl --connect-timeout 3 -sS -o /dev/null -w 'qualysagent direct: HTTP %{http_code} | %{time_total}s\\n' https://qualysagent.qualys.eu 2>&1 || echo 'route directe KO (normal sur LAN SANEF, sortie via proxy obligatoire)'; " - "fi" + " curl --connect-timeout 5 -sS -o /dev/null -w 'HTTP %{http_code} | IP %{remote_ip} | %{time_total}s\\n' " + " https://qagpublic.qg1.apps.qualys.eu/ 2>&1 || echo 'CONNEXION DIRECTE ECHEC (flux 443 sortant bloque ?)'; " + "elif command -v openssl >/dev/null 2>&1; then " + " timeout 5 openssl s_client -connect qagpublic.qg1.apps.qualys.eu:443 -servername qagpublic.qg1.apps.qualys.eu &1 | grep -E 'CONNECTED|verify return|subject=' | head -3 || echo 'openssl FAIL'; " + "else echo '(curl/openssl absents)'; fi; " + "echo; echo '=== Test fallback qualysguard.qualys.eu (console UI) ==='; " + "command -v curl >/dev/null 2>&1 && curl --connect-timeout 5 -sS -o /dev/null -w 'HTTP %{http_code} | %{time_total}s\\n' https://qualysguard.qualys.eu/ 2>&1 || echo 'KO ou curl absent'; " + "echo; echo '=== Connexions actives Qualys (process en cours) ==='; " + "(sudo -n ss -tnp 2>/dev/null || ss -tnp 2>/dev/null) | grep -i qualys | head -5 || echo '(aucune connexion active de l agent Qualys)'" ), "lvm_info": ( "echo '=== Volume Groups (espace libre dans le VG) ==='; " 
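Review bot: The `|| echo 'DNS KO'` fallback on the getent/nslookup line never fires, because the status of `nslookup … | tail -3` is `tail`'s (0 even when nothing resolved); the same masking affects `| head -3 || echo 'openssl FAIL'` in the openssl branch and `| head -5 || echo '(aucune connexion active …)'` on the final ss line. This is more than cosmetic: `_analyze_qualys_audit` in the second hunk keys its "Connectivité Qualys cloud KO" suggestion on the lowercase marker `dns ko`, so a resolution failure that prints nothing also raises no suggestion. Test the probe's own exit status (if/elif) or capture the pipeline output and test it for emptiness, as sketched below. Separately, the `&1` after `-servername qagpublic.qg1.apps.qualys.eu` reads like a mangled `</dev/null 2>&1`; if the file really lacks the stdin redirect, `s_client` waits on stdin until `timeout 5` kills it, so confirm that against the source. QUALYS_AGENT_CMDS continues outside the hunk on both sides.
```python
"qualys_connectivity": (
    "echo '=== DNS resolution qagpublic.qg1.apps.qualys.eu ==='; "
    "if getent hosts qagpublic.qg1.apps.qualys.eu 2>/dev/null; then :; "
    "elif nslookup qagpublic.qg1.apps.qualys.eu >/dev/null 2>&1; then nslookup qagpublic.qg1.apps.qualys.eu 2>/dev/null | tail -3; "
    "else echo 'DNS KO'; fi; "
    # … unchanged: TCP/443 header echo and curl branch …
    "elif command -v openssl >/dev/null 2>&1; then "
    "  SSL_OUT=$(timeout 5 openssl s_client -connect qagpublic.qg1.apps.qualys.eu:443 -servername qagpublic.qg1.apps.qualys.eu </dev/null 2>&1 | grep -E 'CONNECTED|verify return|subject=' | head -3); "
    "  [ -n \"$SSL_OUT\" ] && echo \"$SSL_OUT\" || echo 'openssl FAIL'; "
    # … unchanged: else branch, qualysguard.qualys.eu fallback probe …
    "echo; echo '=== Connexions actives Qualys (process en cours) ==='; "
    "SS_OUT=$( (sudo -n ss -tnp 2>/dev/null || ss -tnp 2>/dev/null) | grep -i qualys | head -5 ); "
    "[ -n \"$SS_OUT\" ] && echo \"$SS_OUT\" || echo '(aucune connexion active de l agent Qualys)'"
),
```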
@@ -757,35 +750,19 @@ def _analyze_qualys_audit(r): }) # Connectivité KO - if any(k in s_conn for k in ["echec via proxy", "connection refused", "timed out", - "could not resolve", "no route", "unreachable"]): + if any(k in s_conn for k in ["connexion directe echec", "connection refused", "timed out", + "could not resolve", "no route", "unreachable", "dns ko"]): suggestions.append({ "severity": "high", - "title": "Connectivité Qualys cloud KO", - "fix": "Flux 443 vers Qualys passe via proxy SANEF (http://proxy.sanef.fr:8080, " - "fallback IP 10.40.10.225). Tester :\n" - "curl -v -x http://proxy.sanef.fr:8080 --connect-timeout 5 https://qualysagent.qualys.eu/\n\n" - "Si proxy KO côté infra : ouvrir ticket réseau." - }) - - # Proxy agent Qualys non configuré - s_pxc = (r.get("qualys_proxy_config") or "").lower() - if s_pxc and "proxy.sanef.fr" not in s_pxc and "10.40.10.225" not in s_pxc: - suggestions.append({ - "severity": "high", - "title": "Agent Qualys : proxy SANEF non configuré", - "fix": "L'agent doit utiliser le proxy SANEF pour atteindre qualysagent.qualys.eu.\n\n" - "Méthode 1 — fichier dédié Qualys (recommandé, persiste aux màj agent) :\n" - "echo 'https_proxy=http://proxy.sanef.fr:8080' | sudo tee /etc/qualys/cloud-agent/qagent-proxy.conf\n" - "sudo systemctl restart qualys-cloud-agent\n\n" - "Méthode 2 — drop-in systemd :\n" - "sudo systemctl edit qualys-cloud-agent\n" - "# Ajouter :\n" - "[Service]\n" - "Environment=\"https_proxy=http://proxy.sanef.fr:8080\"\n" - "Environment=\"http_proxy=http://proxy.sanef.fr:8080\"\n" - "# Puis :\n" - "sudo systemctl daemon-reload && sudo systemctl restart qualys-cloud-agent" + "title": "Connectivité Qualys cloud KO (flux direct bloqué)", + "fix": "L'agent Qualys SANEF se connecte EN DIRECT (pas via proxy) à " + "qagpublic.qg1.apps.qualys.eu:443 (pod EU1). Si la connexion échoue :\n\n" + "1. Vérifier route directe sortante 443/TCP depuis ce serveur vers cet endpoint.\n" + "2. 
Test depuis le serveur :\n" + " curl -v --connect-timeout 5 https://qagpublic.qg1.apps.qualys.eu/\n" + "3. Comparer avec un serveur où l'agent fonctionne (mêmes flux ouverts ?).\n" + "4. Si bloqué côté infra : ouvrir ticket réseau pour ouvrir 443/TCP " + "vers *.apps.qualys.eu (ou IP 64.39.x.x range Qualys EU)." }) if "certificate verify failed" in s_conn or "ssl" in s_conn and "verify" in s_conn: suggestions.append({
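Review bot: Dropping the `qualys_proxy_config` check removes the only signal for the opposite failure mode of the new doctrine: a host that still carries a leftover `https_proxy` from the earlier proxy guidance (for instance the `qagent-proxy.conf` file the removed text used to recommend) passes the direct curl probe while the agent itself keeps going through the proxy, and the function now emits no suggestion for it. The collection command appears to remain (the `grep -iE 'http_proxy|https_proxy'` context line in the first hunk), so the value should still be in `r`; keep reading it and flag any configured proxy as a residual setting to remove, as sketched below. Also, the `fix` text asks the network team for `*.apps.qualys.eu` or the `64.39.x.x` range, which is far wider than the single endpoint the probe verifies and a range I cannot confirm from here; naming only the tested FQDN and leaving the address list to Qualys' published pod documentation keeps the rule narrow. `_analyze_qualys_audit` starts before and continues after the hunk.
```python
# … unchanged: "Connectivité Qualys cloud KO (flux direct bloqué)" suggestion …

# Residual proxy: the agent is expected to go out direct, so a proxy that is
# still configured makes the agent fail even though the direct curl probe passes.
s_pxc = (r.get("qualys_proxy_config") or "").lower()
if s_pxc and "(aucune)" not in s_pxc:
    suggestions.append({
        "severity": "medium",
        "title": "Agent Qualys : proxy résiduel configuré (sortie directe attendue)",
        "fix": "Un http(s)_proxy est encore configuré pour l'agent alors que le flux vers "
               "qagpublic.qg1.apps.qualys.eu:443 est direct. Retirer la configuration proxy "
               "résiduelle (/etc/qualys/cloud-agent/qagent-proxy.conf, drop-in systemd, "
               "/etc/environment) puis redémarrer qualys-cloud-agent."
    })
```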